XSS-Dec: A Hybrid Solution to Mitigate Cross-Site Scripting Attacks

Sundareswaran, Smitha; Squicciarini, Anna

doi:10.1007/978-3-642-31540-4_17

Cited by 8 publications

(3 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Client and server hybrids. XSS-Dec [39] uses a proxy which keeps track of an encrypted version of the server's source files, and applies this information to derive exploits in a page visited by the user. This approach is similar to ours, since we assume previous knowledge of the clean HTML document.…”

Section: Related Workmentioning

confidence: 99%

“…Informally, the cause of XSS is a lack of input sanitization: user-chosen data "escapes" into a page's template and makes its way into the JavaScript engine, or modifies the DOM. Consequently, many of the XSS defenses published so far propose to fix the problem at the source, by properly separating the template from the user data on the server, or by modifying browsers [26,30,39,40]. There are also similar solutions that can be implemented in the front-end code of an application [25].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Precise XSS detection and mitigation with Client-side Templates

Pazos,

Legare,

Beschastnikh

et al. 2020

Preprint

View full text Add to dashboard Cite

We present XSnare, a fully client-side Cross-Site Scripting (XSS) solution, implemented as a Firefox extension. Our approach takes advantage of available previous knowledge of a web application's HTML template content, as well as the rich context available in the DOM to block XSS attacks. XSnare prevents XSS exploits by using a database of exploit descriptions, which are written with the help of previously recorded CVEs. CVEs for XSS are widely available and are one of the main ways to tackle zero-day exploits. XSnare effectively singles out potential injection points for exploits in the HTML and sanitizes content to prevent malicious payloads from appearing in the DOM.XSnare can protect application users before application developers release patches and before server operators apply them.We evaluated XSnare on 81 recent CVEs related to XSS attacks, and found that it defends against 94.2% of these exploits. To the best of our knowledge, XSnare is the first protection mechanism for XSS that is application-specific, and based on publicly available CVE information. We show that XSnare's specificity protects users against exploits which evade other, more generic, anti-XSS approaches.Our performance evaluation shows that our extension's overhead on web page loading time is less than 10% for 72.6% of the sites in the Moz Top 500 [1] list. * Dr. Aiello has provided crucial expert advice and insight in the early stages of the project. We miss him dearly.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Precise XSS detection and mitigation with Client-side Templates

Pazos,

Legare,

Beschastnikh

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…For example, there are many detection and prevention methods of SQL injection, they are either signature-based such in Shanmughaneethi et al (2009), behaviour-based (Pinzón et al, 2013), grammar-based (Bisht et al, 2010;Kemalis and Tzouramanis, 2008), or taint-based (Jan et al, 2010;Alazab et al, 2011;Tateishi and Tabuchi, 2007;Papagiannis et al, 2011). The XSS detection and prevention methods are also categorised in the same way as the SQL injection detection and prevention methods, they are either signaturebased (Shanmughaneethi et al, 2009), or behaviour-based (Sundareswaran and Squicciarini, 2012), or grammar-based (Chandra and Selvakumar, 2011), or taint-based (Avancini and Ceccato, 2010). In order to protect against CSRF attacks (also known as XSRF, 'sea surf', session riding, CSRF, hostile linking, and one-click attack), OWASP developed a server-side CSRF protection mechanism for Apache (called mod_csrfprotector), Java (called CSRFGuard) and PHP (called CSRF-protector-PHP).…”

Section: Figurementioning

confidence: 99%

SPHERES: an efficient server-side web application protection system

Fredj

2019

IJICS

View full text Add to dashboard Cite

While the web attacks grow in number and manner, the current web protection methods fail to follow this evolution. This paper introduces a new design of a web application protection method called SPHERES. The main idea behind SPHERES is that it is placed in the application server; it intercepts the decrypted traffic, and checks it against a set of filtering rules specific to the requests. This design allows SPHERES to have the most accurate picture of the exchanged traffic, the websites structures and workflows, the user sessions and their states, and the system states. This accurate picture of the total system allows SPHERES to build a protection sphere around the website and checks several types and levels of protections efficiently. In addition to the detection of known attacks, SPHERES is able to detect zero-day attacks at runtime. The performance study of SPHERES shows that it is much better than two famous existing web protection tools.

show abstract

Protecting the Augmented Browser Extension from Mutation Cross-Site Scripting

Remya

Praveen

2015

Advances in Intelligent Systems and Computing

View full text Add to dashboard Cite

XSS-Dec: A Hybrid Solution to Mitigate Cross-Site Scripting Attacks

Cited by 8 publications

References 14 publications

Precise XSS detection and mitigation with Client-side Templates

Precise XSS detection and mitigation with Client-side Templates

SPHERES: an efficient server-side web application protection system

Protecting the Augmented Browser Extension from Mutation Cross-Site Scripting

Contact Info

Product

Resources

About